b'                                KPMG LLP\n                                2001 M Street, NW\n                                Washington, DC 20036\n\n\n                                            Independent Auditors\xe2\x80\x99 Report\n\nSecretary and Inspector General\nU.S. Department of Labor:\n\nWe have audited the accompanying consolidated balance sheets of the U.S. Department of Labor (DOL) as of\nSeptember 30, 2007 and 2006, and the related consolidated statements of net cost, changes in net position, and\ncustodial activity, and combined statements of budgetary resources for the years then ended; and the statements of\nsocial insurance as of September 30, 2007 and 2006 (hereinafter referred to as \xe2\x80\x9cconsolidated financial statements\xe2\x80\x9d).\nThe objective of our audits was to express an opinion on the fair presentation of these consolidated financial\nstatements. In connection with our fiscal year 2007 audit, we also considered the DOL\xe2\x80\x99s internal controls over\nfinancial reporting and performance measures and tested the DOL\xe2\x80\x99s compliance with certain provisions of applicable\nlaws, regulations, contracts, and grant agreements that could have a direct and material effect on these consolidated\nfinancial statements.\n\nWe have also examined DOL\xe2\x80\x99s compliance with section 803a of the Federal Financial Management Improvement\nAct of 1996 (FFMIA) as of September 30, 2007.\n\nSUMMARY\n\nAs stated in our opinion on the consolidated financial statements, we concluded that the DOL\xe2\x80\x99s consolidated\nfinancial statements as of and for the years ended September 30, 2007 and 2006, are presented fairly, in all material\nrespects, in conformity with U.S. generally accepted accounting principles.\n\nAs discussed in our opinion on the consolidated financial statements, DOL changed its method of reporting the\nreconciliation of budgetary resources obligated to the net cost of operations and its method of reporting the\nproprietary activities related to its allocation transfers in fiscal year 2007.\n\nOur consideration of internal control over financial reporting resulted in the following conditions being identified as\nsignificant deficiencies:\n\n      1. Lack of Adequate Controls over Access to Key Financial and Support Systems\n\n      2. Weakness Noted over Payroll Accounting\n\n      3. Weakness Noted over Budgetary Accounting\n\n      4. Lack of Segregation of Duties over Journal Entries\n\nHowever, none of the significant deficiencies are believed to be material weaknesses.\n\nWe noted no deficiencies involving the design of the internal control over the existence and completeness assertions\nrelated to key performance measures.\n\nThe results of our tests of compliance with certain provisions of laws, regulations, contracts, and grant agreements\ndisclosed two instances of Anti-deficiency Act noncompliance that are required to be reported under Government\n\n172     United States Department of Labor    KPMG LLP, a U.S. limited liability partnership, is the U.S.\n                                             member firm of KPMG International, a Swiss cooperative.\n\x0c                                                                                          Independent Auditors\xe2\x80\x99 Report\n\n\n\n\nAuditing Standards, issued by the Comptroller General of the United States, and Office of Management and Budget\n(OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements.\n\nAs stated in our opinion on DOL\xe2\x80\x99s compliance with FFMIA, we concluded that DOL complied, in all material\nrespects, with the requirements of FFMIA as of September 30, 2007.\n\nThe following sections discuss our opinion on the DOL\xe2\x80\x99s consolidated financial statements; our consideration of the\nDOL\xe2\x80\x99s internal controls over financial reporting and performance measures; our tests of the DOL\xe2\x80\x99s compliance with\ncertain provisions of applicable laws, regulations, contracts, and grant agreements; and management\xe2\x80\x99s and our\nresponsibilities.\n\nOPINION ON THE FINANCIAL STATEMENTS\n\nWe have audited the accompanying consolidated balance sheets of the DOL as of September 30, 2007 and 2006, and\nthe related consolidated statements of net cost, changes in net position, and custodial activity, and the combined\nstatements of budgetary resources for the years then ended; and the statement of social insurance as of September 30,\n2007 and 2006. The accompanying statements of social insurance as of September 30, 2003 through 2005 were not\naudited by us and, accordingly, we do not express an opinion on them.\n\nIn our opinion, the consolidated financial statements referred to above present fairly, in all material respects, the\nfinancial position of the U.S. Department of Labor as of September 30, 2007 and 2006, and its net costs, changes in\nnet position, budgetary resources, and custodial activity for the years then ended, and the financial condition of its\nsocial insurance program as of September 30, 2007 and 2006, in conformity with U.S. generally accepted accounting\nprinciples.\n\nAs discussed in Note 1B to the consolidated financial statements, DOL changed its method of reporting the\nreconciliation of budgetary resources obligated to the net cost of operations and its method of reporting the\nproprietary activities related to its allocation transfers in fiscal year 2007.\n\nThe information in the Management\xe2\x80\x99s Discussion and Analysis, Required Supplementary Stewardship Information,\nand Required Supplementary Information sections is not a required part of the consolidated financial statements, but\nis supplementary information required by U.S. generally accepted accounting principles and OMB Circular No. A-\n136, Financial Reporting Requirements. We have applied certain limited procedures, which consisted principally of\ninquiries of management regarding the methods of measurement and presentation of this information. However, we\ndid not audit this information and, accordingly, we express no opinion on it.\n\nThe information in the Secretary\xe2\x80\x99s Message, Performance Section, and Appendices are presented for purposes of\nadditional analysis and are not required as part of the consolidated financial statements. This information has not\nbeen subjected to auditing procedures and, accordingly, we express no opinion on it.\n\nINTERNAL CONTROL OVER FINANCIAL REPORTING\n\nOur consideration of the internal control over financial reporting was for the limited purpose described in the\nResponsibilities section of this report and would not necessarily identify all deficiencies in the internal control over\nfinancial reporting that might be significant deficiencies or material weaknesses.\n\nA control deficiency exists when the design or operation of a control does not allow management or employees, in\nthe normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. A\nsignificant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the DOL\xe2\x80\x99s\nability to initiate, authorize, record, process, or report financial data reliably in accordance with U.S. generally\naccepted accounting principles such that there is more than a remote likelihood that a misstatement of the DOL\xe2\x80\x99s\n\n                                                                FY 2007 Performance and Accountability Report      173\n\x0cFinancial Section\n\n\nconsolidated financial statements that is more than inconsequential will not be prevented or detected by the DOL\xe2\x80\x99s\ninternal control over financial reporting. A material weakness is a significant deficiency, or combination of\nsignificant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial\nstatements will not be prevented or detected by the DOL\xe2\x80\x99s internal control.\n\nIn our fiscal year 2007 audit, we consider the deficiencies described in Exhibit I to be significant deficiencies in\ninternal control over financial reporting. However, we believe that none of the significant deficiencies presented in\nExhibit I are material weaknesses.\n\nWe noted certain additional matters that we will report to management of DOL in a separate letter.\n\nINTERNAL CONTROL OVER PERFORMANCE MEASURES\n\nOur tests of internal control over performance measures, as described in the Responsibilities section of this report,\ndisclosed no deficiencies involving the design of the internal control over the existence and completeness assertions\nrelated to key performance measures.\n\nCOMPLIANCE AND OTHER MATTERS\n\nOur tests of compliance with certain provisions of laws, regulations, contracts, and grant agreements, as described in\nthe Responsibilities section of this report, exclusive of those referred to in the Federal Financial Management\nImprovement Act of 1996 (FFMIA), disclosed two instances of Anti-deficiency Act noncompliance that are required\nto be reported herein under Government Auditing Standards or OMB Bulletin No. 07-04, and are described in\nExhibit II.\n\nThe results of our tests of compliance as described in the Responsibilities section of this report, exclusive of those\nreferred to in FFMIA, disclosed no other instances of noncompliance or other matters that are required to be reported\nherein under Government Auditing Standards or OMB Bulletin No. 07-04.\n\nOther Matter. DOL is currently reviewing two incidents regarding potential violations of the Anti-deficiency Act.\nAs of the date of this report, no final noncompliance determination has been made for either of the two incidents.\n\nWe noted certain additional matters that we will report to management of DOL in a separate letter.\n\nOPINION ON COMPLIANCE WITH FFMIA\n\nDOL represented that, in accordance with the provisions and requirements of FFMIA, the Secretary of Labor\ndetermined that the U.S. Department of Labor\xe2\x80\x99s financial management systems are in substantial compliance with\nFFMIA.\n\nWe have examined the U.S. Department of Labor\xe2\x80\x99s compliance with section 803a of the Federal Financial\nManagement Improvement Act of 1996 as of September 30, 2007. Under section 803a of FFMIA, DOL\xe2\x80\x99s financial\nmanagement systems are required to substantially comply with (1) Federal financial management systems\nrequirements, (2) applicable Federal accounting standards, and (3) the United States Government Standard General\nLedger at the transaction level. We used OMB\xe2\x80\x99s Revised Implementation Guidance for the Federal Financial\nManagement Improvement Act, dated January 4, 2001, to determine compliance.\n\nIn our opinion, the U.S. Department of Labor complied, in all material respects, with the aforementioned\nrequirements as of September 30, 2007.\n\n\n\n\n174   United States Department of Labor\n\x0c                                                                                           Independent Auditors\xe2\x80\x99 Report\n\n\n\n\nRESPONSIBILITIES\n\nManagement\xe2\x80\x99s Responsibilities. The United States Code Title 31 Section 3515 and 9106 require agencies to report\nannually to Congress on their financial status and any other information needed to fairly present their financial\nposition and results of operations. To meet these reporting requirements, the DOL prepares and submits financial\nstatements in accordance with OMB Circular No. A-136.\n\nManagement is responsible for the consolidated financial statements, including:\n\n\xe2\x80\xa2   Preparing the consolidated financial statements in conformity with U.S. generally accepted accounting principles;\n\n\xe2\x80\xa2   Preparing the Management\xe2\x80\x99s Discussion and Analysis (including the performance measures), Required\n    Supplementary Information, and Required Supplementary Stewardship Information;\n\n\xe2\x80\xa2   Establishing and maintaining effective internal control; and\n\n\xe2\x80\xa2   Complying with laws, regulations, contracts, and grant agreements applicable to the DOL, including FFMIA.\n\nIn fulfilling this responsibility, management is required to make estimates and judgments to assess the expected\nbenefits and related costs of internal control policies.\n\nAuditors\xe2\x80\x99 Responsibilities. Our responsibility is to express an opinion on the fiscal year 2007 and 2006\nconsolidated financial statements of the DOL based on our audits. We conducted our audits in accordance with\nauditing standards generally accepted in the United States of America; the standards applicable to financial audits\ncontained in Government Auditing Standards, issued by the Comptroller General of the United States; and OMB\nBulletin No. 07-04. Those standards and OMB Bulletin No. 07-04 require that we plan and perform the audits to\nobtain reasonable assurance about whether the consolidated financial statements are free of material misstatement.\nAn audit includes consideration of internal control over financial reporting as a basis for designing audit procedures\nthat are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the\nDOL\xe2\x80\x99s internal control over financial reporting. Accordingly, we express no such opinion.\n\nAn audit also includes:\n\n\xe2\x80\xa2   Examining, on a test basis, evidence supporting the amounts and disclosures in the consolidated financial\n    statements;\n\n\xe2\x80\xa2   Assessing the accounting principles used and significant estimates made by management; and\n\n\xe2\x80\xa2   Evaluating the overall consolidated financial statement presentation.\n\nWe believe that our audits provide a reasonable basis for our opinion.\n\nIn planning and performing our fiscal year 2007 audit, we considered the DOL\xe2\x80\x99s internal control over financial\nreporting by obtaining an understanding of the DOL\xe2\x80\x99s internal control, determining whether internal controls had\nbeen placed in operation, assessing control risk, and performing tests of controls as a basis for designing our auditing\nprocedures for the purpose of expressing our opinion on the consolidated financial statements. We limited our\ninternal control testing to those controls necessary to achieve the objectives described in Government Auditing\nStandards and OMB Bulletin No. 07-04. We did not test all internal controls relevant to operating objectives as\nbroadly defined by the Federal Managers\xe2\x80\x99 Financial Integrity Act of 1982. The objective of our audit was not to\n\n\n\n                                                                   FY 2007 Performance and Accountability Report   175\n\x0cFinancial Section\n\n\nexpress an opinion on the effectiveness of the DOL\xe2\x80\x99s internal control over financial reporting. Accordingly, we do\nnot express an opinion on the effectiveness of the DOL\xe2\x80\x99s internal control over financial reporting.\n\nAs required by OMB Bulletin No. 07-04 in our fiscal year 2007 audit, with respect to internal control related to\nperformance measures determined by management to be key and reported in the Management\xe2\x80\x99s Discussion and\nAnalysis and Performance sections, we obtained an understanding of the design of internal controls relating to the\nexistence and completeness assertions and determined whether these internal controls had been placed in operation.\nWe limited our testing to those controls necessary to report deficiencies in the design of internal control over key\nperformance measures in accordance with OMB Bulletin 07-04. However, our procedures were not designed to\nprovide an opinion on internal control over reported performance measures and, accordingly, we do not provide an\nopinion thereon.\n\nAs part of obtaining reasonable assurance about whether the DOL\xe2\x80\x99s fiscal year 2007 consolidated financial\nstatements are free of material misstatement, we performed tests of the DOL\xe2\x80\x99s compliance with certain provisions of\nlaws, regulations, contracts, and grant agreements, noncompliance with which could have a direct and material effect\non the determination of the consolidated financial statement amounts, and certain provisions of other laws and\nregulations specified in OMB Bulletin No. 07-04, including certain provisions referred to in FFMIA. We limited our\ntests of compliance to the provisions described in the preceding sentence, and we did not test compliance with all\nlaws, regulations, contracts, and grant agreements applicable to the DOL. However, providing an opinion on\ncompliance with laws, regulations, contracts, and grant agreements was not an objective of our audit and,\naccordingly, we do not express such an opinion.\n\nOur responsibility also included expressing an opinion on DOL\xe2\x80\x99s compliance with FFMIA section 803a requirements\nas of September 30, 2007, based on our examination. Our examination was conducted in accordance with attestation\nstandards established by the American Institute of Certified Public Accountants and the standards applicable to\nattestation engagements contained in Government Auditing Standards issued by the Comptroller General of the\nUnited States and, accordingly, included examining, on a test basis, evidence about DOL\xe2\x80\x99s compliance with the\nrequirements of FFMIA section 803a and performing such other procedures as we considered necessary in the\ncircumstances. We believe that our examination provides a reasonable basis for our opinion. Our examination does\nnot provide a legal determination on DOL\xe2\x80\x99s compliance with specified requirements.\n______________________________\n\nThe DOL\xe2\x80\x99s response to the findings identified in our audit is summarized in Exhibit I. We did not audit the DOL\xe2\x80\x99s\nresponse and, accordingly, we express no opinion on it.\n\nThis report is intended solely for the information and use of the DOL\xe2\x80\x99s management, the DOL\xe2\x80\x99s Office of Inspector\nGeneral, OMB, the U.S. Government Accountability Office, and the U.S. Congress and is not intended to be and\nshould not be used by anyone other than these specified parties.\n\n\n\n\nNovember 9, 2007\n\n\n\n\n176   United States Department of Labor\n\x0c                                                                                        Independent Auditors\xe2\x80\x99 Report\n\n                                                                                              Significant Deficiencies\n                                                                                                              Exhibit I\n\n\n1. Lack of Adequate Controls over Access to Key Financial and Support Systems\n\n   The Office of Inspector General (OIG) has been reporting access control weaknesses over the U.S. Department of\n   Labor\xe2\x80\x99s (DOL) financial systems since fiscal year (FY) 2001 and application access control weaknesses since FY\n   2004. In FY 2006, we reported two reportable conditions relating to system access controls over financial\n   reporting:\n\n   \xe2\x80\xa2   Lack of Strong Application Controls over Access to and Protection of Financial Information, and\n   \xe2\x80\xa2   Lack of Strong Logistical Security Controls to Secure DOL\xe2\x80\x99s Networks and Information.\n\n   The OIG recommended that management:\n\n   \xe2\x80\xa2   Verify that specific security weaknesses identified during the audits are communicated to DOL agencies and\n       included in each individual agency\xe2\x80\x99s Plan of Actions & Milestones (POAM), and that appropriate and timely\n       corrective action is taken on the identified weaknesses;\n   \xe2\x80\xa2   Coordinate efforts among the DOL agencies to develop and/or enforce procedures and controls to address\n       logical access and security control weaknesses on current financial management systems; and\n   \xe2\x80\xa2   Coordinate efforts among the DOL agencies to develop and/or enforce procedures and controls to address\n       systemic application access control weaknesses in current financial management systems\n\n   During our FY 2007 audit, we noted that 51 prior year agency-specific recommendations addressing access\n   controls have not been corrected (12 in the Office of the Chief Financial Officer (OCFO), 13 in the Employment\n   and Training Administration (ETA), 12 in the Office of the Assistant Secretary for Administrative Management\n   (OASAM), and 14 in the Employment Standards Administration (ESA)). In addition, in FY 2007, we identified\n   weaknesses that resulted in 112 new recommendations related to access controls (23 in the OCFO, 52 in ETA, 20\n   in OASAM, and 17 in ESA). The specific nature of these weaknesses, their causes, and the systems impacted by\n   them has been communicated separately to management.\n\n   New weaknesses detected during FY 2007 and the prior year control weaknesses represent a significant\n   deficiency over access to key financial and support systems. These weaknesses include deficiencies in key\n   financial information technology (IT) controls in the areas of security and system software controls that directly\n   impact access to financial systems.\n\n   In summary, we noted issues with account management, configuration management, and review of system audit\n   logs in our FY 2007 testing of DOL\xe2\x80\x99s IT systems, each of which present a reasonably possible chance to\n   adversely affect DOL\xe2\x80\x99s ability to initiate, authorize, record, process or report DOL financial data. Specifically,\n   the following control weaknesses were present in multiple financial systems across various DOL agencies.\n\n   \xe2\x80\xa2   Account Management\n       - Account management controls were not consistently performed, such as incomplete or missing access\n          request, modification, and termination forms;\n       - Periodic user account reviews or re-certifications were not performed;\n       - Inactive accounts were not disabled or deleted in a timely manner;\n       - Generic accounts existed on systems;\n       - Access authorization, recertification, and periodic reviews of data center access were not consistent with\n          policies; and\n       - Terminated personnel had active system accounts, and in some cases terminated employees accessed\n          systems after their termination date.\n\n\n\n\n                                                              FY 2007 Performance and Accountability Report       177\n\x0cFinancial Section\n\n\n\n\n      \xe2\x80\xa2    Configuration Management\n           - Technical security standards and policies need to be updated and implemented to include stronger logical\n              access security controls. Specifically, patches were not applied to systems in a timely manner;\n              unnecessary services were not disabled; and access to sensitive files, directories, or software was not\n              restricted;\n           - Production servers were not configured in accordance with baseline configurations or to the most\n              appropriate settings;\n           - Password settings do not comply with the Office of the Chief Information Officer (OCIO) Computer\n              Security Handbook (CSH); and\n           - Network permissions which allow users to access resources remotely that was not appropriately\n              restricted.\n\n      \xe2\x80\xa2    Review of System Audit Logs\n           - Audit logs monitoring user and administrator activity, changes to security profiles, remote access logs,\n              access to sensitive directories, and failed login attempts are not reviewed, or documentation of audit log\n              reviews was not maintained;\n           - Audit log review procedures were not documented;\n           - Audit logs were not secured against editing by system administrators; and\n           - Application level audit logs (e.g., significant transactions and changes to sensitive tables) were not\n              proactively reviewed.\n\n      These findings are a result of issues in the implementation and monitoring of Departmental processes and\n      procedures. For example, management has not incorporated adequate testing of system controls as part of their\n      Office of Management and Budget (OMB) Management and Control (OMB Circular No. A-123) program.\n      These access control weaknesses could lead to users with inappropriate access to financial systems; inefficient\n      processes; lack of completeness, accuracy, or integrity of financial data; and/or the lack of detection of unusual\n      activity within financial systems. In addition, as a result of the identified weaknesses, the DOL OIG reported an\n      access control significant deficiency in conjunction with its FY 2007 testing of compliance with the Federal\n      Information Security Management Act (FISMA), which was passed as part of the Electronic Government Act of\n      2002.\n\n      Based on these facts noted as part of our FY 2007 audit, we revised the status of the recommendations related to\n      this finding from resolved and open to unresolved. Additionally, we recommend that management complete\n      the following actions to address the specific issues identified during our FY 2007 audit:\n\n      1. Identify key financial IT controls and incorporate them into DOL\xe2\x80\x99s internal control OMB Circular No. A-123\n         testing process, to ensure that these controls are documented and operating effectively during the year.\n\n      2. Coordinate efforts among the DOL agencies to develop and/or enforce procedures and controls to address\n         access control weaknesses in current financial management systems.\n\n      Management\xe2\x80\x99s Response: Management is pursuing an aggressive remediation process that has resulted in\n      substantial improvements to the Department\xe2\x80\x99s overall IT control environment. Management continues to believe\n      that controls inherent to specific applications, as well as manual and other compensating controls already in\n      place, are sufficiently designed and effective to prevent or detect unauthorized access to DOL financial systems.\n      Management concurs with and will implement the auditor\xe2\x80\x99s 2007 recommendations to enhance the testing of key\n      controls as part of DOL\xe2\x80\x99s A-123 program. DOL\xe2\x80\x99s Office of Chief Information Officer operates a monitoring\n      program that is applied on a quarterly, semiannual and annual basis for every DOL major information system to\n      determine security control implementation compliance. The monitoring program ensures that agencies document\n      all identified weaknesses, regardless of the oversight sources in the agencies\xe2\x80\x99 system-specific Plans of Actions\n      and Milestones (PO&AM). DOL has enhanced its security control testing and evaluation (SCT&E) program\n\n\n178       United States Department of Labor\n\x0c                                                                                        Independent Auditors\xe2\x80\x99 Report\n\n                                                                                              Significant Deficiencies\n                                                                                                              Exhibit I\n\n\n   which will provide detailed reporting on and tracking of agency access control deficiencies and will closely\n   address the access control and configuration management controls areas identified by the OIG in the FY 2007\n   FISMA consolidated report.\n\n   Auditor Response. Based on management\xe2\x80\x99s response, the unresolved recommendations cited above are now\n   resolved and open.\n\n\n2. Weakness Noted over Payroll Accounting\n\n   During FY 2006, the U.S. Department of Agriculture\xe2\x80\x99s (USDA) Office of Chief Financial Officer\n   (OCFO)/National Finance Center (NFC) processed DOL\xe2\x80\x99s payroll. The Fiscal Year 2006 \xe2\x80\x93 Office of the Chief\n   Financial Officer/National Finance Center General Control Review dated September 21, 2006, and issued by the\n   USDA\xe2\x80\x99s Office of Inspector General (Report No. 11401-24-FM) reported a qualified opinion regarding the\n   effectiveness of NFC\xe2\x80\x99s internal controls for the period October 1, 2005 through June 30, 2006. During FY 2006,\n   DOL did not have policies and procedures in place to reconcile the payroll information it submitted to the NFC\n   to that received and processed by the NFC.\n\n   For each FY 2006 pay period, DOL submitted to the NFC payroll information that included all DOL employees\n   for the period, along with their hours worked, leave used, and other payroll related information for the period.\n   The NFC processed the payroll for DOL each period and made available for download a Detail Pay and Deduct\n   Register report for each DOL Human Resources office. We noted that DOL did not utilize these reports to\n   perform reviews or reconciliations of data processed by the NFC, and no other controls were in place during the\n   year to ensure that what was submitted to NFC via Time and Attendance records were reconciled to what was\n   shown as paid in the Detail Pay and Deduct Register.\n\n   We recommended that management develop and implement policies and procedures to reconcile payroll\n   information provided to the NFC to the payroll information processed by the NFC each pay period. These\n   reconciliations should be documented, reviewed and approved by an appropriate supervisor, and maintained.\n\n   During FY 2007, the NFC continued to process DOL\xe2\x80\x99s payroll. The Fiscal Year 2007 \xe2\x80\x93 Office of the Chief\n   Financial Officer/National Finance Center General Control Review dated September 27, 2007, and issued by the\n   USDA\xe2\x80\x99s Office of Inspector General (Report No. 11401-26-FM) reported a qualified opinion regarding the\n   effectiveness of NFC\xe2\x80\x99s internal controls for the period July 1, 2006 through June 30, 2007.\n\n   As part of DOL\xe2\x80\x99s corrective action plan for FY 2007, the OCFO\xe2\x80\x99s PeoplePower Task Force created a Time and\n   Attendance Reconciliation Report based on the NFC\xe2\x80\x99s Detail Pay and Deduct Register to be used to reconcile\n   information sent to NFC to that received and processed by NFC. In March 2007, the DOL OCFO issued policies\n   and procedures that state that each DOL Human Resource office should review the Time and Attendance\n   Reconciliation Reports each pay period and research and resolve differences identified. No offices that we tested\n   complied with the new OCFO procedures, but two offices that we tested performed their own reconciliation\n   procedures. The lack of reconciliation controls implemented department-wide around the NFC outputs,\n   compounded by the control weaknesses identified at the NFC, increased the risk that payroll-related line items in\n   the FY 2007 financial statements could be misstated because of errors in payroll processing by the NFC.\n\n   Federal agencies that use external service providers, such as the NFC, should have controls in place to ensure the\n   accuracy of processing outputs. As stated by the USDA OIG in its FY 2007 Report No. 11401-26-FM, \xe2\x80\x9cThe\n   accuracy and reliability of data processed by OCFO/NFC and the resultant reports rests with the customer agency\n   and any compensating controls implemented by the agencies.\xe2\x80\x9d\n\n\n\n\n                                                              FY 2007 Performance and Accountability Report       179\n\x0cFinancial Section\n\n\n\n\n      OMB Circular No. 123, Management\xe2\x80\x99s Responsibility for Internal Control, states, \xe2\x80\x9cApplication control should be\n      designed to ensure that transactions are properly authorized and processed accurately and that the data is valid\n      and complete. Controls should be established at an application\xe2\x80\x99s interfaces to verify inputs and outputs, such as\n      edit checks.\xe2\x80\x9d Additionally, per the Government Accountability Office\xe2\x80\x99s (GAO) Standards for Internal Control\n      in the Federal Government, \xe2\x80\x9cInternal control should generally be designed to assure that ongoing monitoring\n      occurs in the course of normal operations. It is performed continually and is ingrained in the agency\xe2\x80\x99s\n      operations. It includes regular management and supervisory activities, comparisons, reconciliations, and other\n      actions people take in performing their duties.\xe2\x80\x9d\n\n      Although the OCFO issued the policies and procedures discussed above, DOL did not implement these policies\n      and procedures, and the OCFO did not monitor to ensure that the reconciliations were completed, documented,\n      reviewed and approved by an appropriate supervisor, and maintained. As such, we consider the recommendation\n      we made in FY 2006 as resolved and open. To close this recommendation in the future, the DOL OCFO should\n      ensure (a) that Human Resource offices are reconciling payroll information provided to the NFC to the payroll\n      information processed by the NFC each pay period in compliance with DOL\xe2\x80\x99s current policies and procedures,\n      and (b) that these reconciliations are documented, reviewed and approved by an appropriate supervisor, and\n      maintained.\n\n      Management\xe2\x80\x99s Response: Management accepts that more uniform reconciliation procedures and monitoring\n      would improve internal controls for payroll expenses. As such, OCFO issued a policy memorandum on October\n      23, 2007, to agencies requiring monthly reconciliation of NFC payroll expenses to DOL payroll personnel data\n      and maintenance of documentation of the work performed. OCFO will perform a monthly reconciliation audit\n      on a sample basis. These audits will begin in FY 2008 and documentation of each audit will be maintained.\n\n\n3. Weakness Noted over Budgetary Accounting\n\n      During FY 2006, we reported that the OCFO did not complete timely reconciliations related to the\n      Apportionment and Reapportionment Schedules (SF-132) and the Report on Budget Execution and Budgetary\n      Resources (SF-133). We recommended that management ensure that current policies and procedures over SF-\n      132 and SF-133 reconciliations are enhanced to require (a) quarterly reconciliations be prepared and\n      documented, (b) the completion of documented supervisory reviews over the reconciliations, and (c) the\n      completion of these procedures by a certain date (e.g., 15 days after each quarter-end).\n\n      During our FY 2007 audit work, we requested quarterly reconciliations of the SF-132 to the SF-133. However,\n      the first quarter reconciliation was not completed, and the second quarter reconciliation was not provided to us\n      until June 2007. In addition, these reconciliations identified several necessary corrections to amounts posted in\n      the general ledger, and various differences remained unresolved. We also requested the reconciliation of the FY\n      2006 Statement of Budgetary Resources (SBR) to the FY 2006 President\xe2\x80\x99s Budget of the United States; however,\n      we noted the reconciliation was not reviewed timely. FY 2006 and 2007, the OCFO did not have adequate\n      resources and did not adequately enforce policies to ensure the reconciliations were completed and any identified\n      reconciling items resolved in a timely manner. The lack of timely and complete reconciliations increases the risk\n      that material differences in external reports and in the general ledger may not be detected and corrected in a\n      timely manner during the year or for year-end reporting.\n\n      Additionally in FY 2006, we reported that 6 of the 10 requested budgetary to proprietary account relationship\n      tests were not completed as of March 31, 2006, and explanations were not provided for variances identified in the\n      four analyses that were completed. We recommended that management develop and implement policies and\n      procedures that require (a) the preparation and documentation of quarterly budgetary to proprietary relationship\n      analyses, (b) the completion of documented supervisory reviews over the analyses, and (c) the completion of\n      these analyses by a certain date (e.g., 15 days after each quarter-end).\n\n\n180     United States Department of Labor\n\x0c                                                                                          Independent Auditors\xe2\x80\x99 Report\n\n                                                                                                Significant Deficiencies\n                                                                                                                Exhibit I\n\n\n\n\n    During our FY 2007 procedures over budgetary to proprietary account relationship analyses, we noted that the\n    OCFO is in the process of automating this analysis and is developing a review policy over the automated\n    analysis. However, the automated analysis and review policy had not been completed and performed during the\n    fiscal year. The lack of timely and complete budgetary to proprietary analyses increases the risk that material\n    differences in external reports and in the general ledger may not be detected and corrected in a timely manner\n    during the year or for year-end reporting.\n\n    Furthermore, we identified certain errors during our FY 2007 Treasury warrant budgetary testwork that could\n    have been detected by the analysis and reconciliation controls discussed above. Specifically, three budgetary and\n    proprietary entries were not posted concurrently; requiring a net $22 million adjustment to increase budget\n    authority, and one budgetary entry was miscoded to the incorrect budgetary account, requiring a $693 million\n    reclassification entry. In FY 2007, we also identified the improper use of certain U.S. Standard General Ledger\n    (USSGL) accounts related to obligation adjustments in certain situations.\n\n    Per GAO\xe2\x80\x99s Standards of Internal Control in the Federal Government, \xe2\x80\x9cInternal control should generally be\n    designed to assure that ongoing monitoring occurs in the course of normal operations. It is performed\n    continually and is ingrained in the agency\xe2\x80\x99s operations. It includes regular management and supervisory\n    activities, comparisons, reconciliations, and other actions people take in performing their duties.\xe2\x80\x9d In addition, it\n    states, \xe2\x80\x9cControl activities occur at all levels and functions of the entity. They include a wide range of diverse\n    activities such as approvals, authorizations, verifications, reconciliations, performance reviews, maintenance of\n    security, and the creation and maintenance of related records which provide evidence of execution of these\n    activities as well as appropriate documentation.\xe2\x80\x9d\n\n    According to OMB\xe2\x80\x99s Circular No. A-136 (June 2007), section II.4.6.11, \xe2\x80\x9c\xe2\x80\xa6Information on the SBR should be\n    reconcilable to the budget execution information reported on the SF 133 Report on Budget Execution and\n    Budgetary Resources and with information reported in the Budget of the United States Government to ensure the\n    integrity of the numbers presented. The SBR is an agency-wide report, which aggregates account-level\n    information reported in the SF 133. Consistency between information presented in the financial statements and\n    the Budget of the United States Government is critical to ensure the integrity of the numbers presented. The\n    FACTS II helps to ensure the consistency of data. The FACTS II data submitted by agencies are USSGL-based\n    trial balances, which are used to populate the SF 133 and the actual column of the Program and Financing\n    Schedule of the Budget. The USSGL-based trial balance is also used to prepare the SBR.\xe2\x80\x9d\n\n    Since the OCFO did not complete the budgetary and proprietary analysis during FY 2007 and did not complete\n    the SF-132 to SF-133 reconciliations accurately and timely, the recommendations we made in FY 2006 remain\n    resolved and open.\n\n    We also recommend that management develop clearly defined transaction codes within DOLAR$ to ensure that\n    adjustments to obligations are recorded in the proper USSGL account depending on the situation and strengthen\n    manual controls related to the processing of obligation adjustments. This recommendation is resolved and open.\n\n    Management\xe2\x80\x99s Response: Management is confident that the design and effectiveness of its four layers of\n    operating controls used for end-of-year financial reporting would detect improper balances in the relationships\n    between budgetary and proprietary accounts. These controls ensure the reliability of data for end-of-year\n    financial reporting.\n\n\n\n\n1Also cited in the July 2006 version of OMB Circular No. A-136, section II.4.6.1.\n\n                                                                FY 2007 Performance and Accountability Report       181\n\x0cFinancial Section\n\n\n\n\n      With the addition of some final policy documentation in FY 2008 and further strengthening of OCFO monitoring\n      and oversight, management expects to improve the timeliness and effectiveness of the controls over budgetary\n      accounting so that all elements of this finding will be resolved in FY 2008.\n\n      Regarding the $693 million budgetary entry miscoding error, OCFO provided documentation demonstrating that\n      the end-of-year reconciliations would have detected the misclassified budgetary entry had the auditor not\n      detected it during the course of the audit. This reconciliation, along with other key analytics, confirmed the\n      accuracy of budgetary and proprietary accounting as part of the annual financial statement preparation process.\n      Beginning in December 2007, management will perform these analytical procedures monthly to further\n      strengthen DOL\xe2\x80\x99s financial processes.\n\n      Management is developing new, and strengthening existing, manual and system controls relating to obligation\n      adjustments.\n\n\n4. Lack of Segregation of Duties over Journal Entries\n\n      During the FY 2006 audit, we noted that accounting staff from all DOL agencies were able to prepare and enter\n      journal entries into the Department of Labor Accounting Related Systems (DOLAR$) without approval. By\n      allowing individuals the authority to prepare and approve their own transactions in DOLAR$, there is an\n      increased risk that a material error would not be prevented or detected and corrected in a timely manner.\n\n      We recommended that management reconfigure DOLAR$ so that journal entries entered into the DOLAR$\n      general ledger system and its successor system are required to be approved electronically by an individual other\n      than the preparer before posting. We also recommended that agencies implement manual compensating review\n      controls until system controls have been implemented.\n\n      During the FY 2007 audit, we found that management had not made the recommended changes to DOLAR$.\n      During the second quarter of FY 2007, the OCFO had developed Department-wide manual policies and\n      procedures designed to ensure the segregation of journal entry preparation and approval authority. However, our\n      test of 21 sample journal entries from October 1, 2006 through June 30, 2007, noted that 16 of the journal entries\n      did not have supporting documentation evidencing management review and approval.\n\n      Since the Department did not make, or plan, changes to DOLAR$ to segregate journal entry preparation and\n      approval authority in DOLAR$, and has changed its plans to implement a new general ledger system, we\n      consider the system related recommendation we made in FY 2006 unresolved. To resolve the recommendation,\n      management needs to provide a corrective action plan with timeframes to implement a new general ledger system\n      that requires electronic approval by someone other than the preparer before journal entries are posted.\n\n      Because management implemented new policies and procedures for part of FY 2007, we consider the manual\n      control recommendation made in FY 2006 as resolved and open. To close this recommendation, management\n      should formalize the Department-wide policies and procedures for documenting the preparation and review of\n      journal entries; and enforce these policies and procedures. Management should ensure that all journal entries are\n      properly supported and documented. Documentation should authenticate the posting of the entry and the users\n      who recorded and authorized the transaction in DOLAR$.\n\n      Management\xe2\x80\x99s Response: In the second quarter of FY 2007, management developed and implemented a new\n      policy that has produced positive results in improving management controls associated with DOLAR$ journal\n      vouchers (JV). This new policy requires documentation be maintained with the JV entries to support transactions\n      and requires that proper authorizations and approvals be shown on the documents. While the auditor noted that\n      weak segregation of duties in the JV process increases the risk of potential misstatement, OCFO employs other\n\n\n182     United States Department of Labor\n\x0c                                                                                   Independent Auditors\xe2\x80\x99 Report\n\n                                                                                        Significant Deficiencies\n                                                                                                        Exhibit I\n\n\ncompensating controls to mitigate this risk and these compensating controls provide reasonable assurance over\nthe accuracy and reliability of JV entries. OCFO will further refine the existing JV policy to strengthen\nsegregation of duties by January 2008.\n\nHaving addressed the segregation of duties with manual controls in the JV process, OCFO does not intend to\nautomate this control in the current operating environment as the DOLAR$ accounting system is at the end of its\nplanned life-cycle, where extensive system changes are no longer cost effective. Management will ensure that\nthe new system that replaces DOLAR$, planned for implementation by October 2009, dependent on the\navailability of funding, contains electronic controls over the JV process.\n\nAuditor Response. Based on management\xe2\x80\x99s response, the unresolved recommendation to implement an\nelectronic approval by someone other than the preparer in the new general ledger system is now resolved and\nopen.\n\n\n\n\n                                                          FY 2007 Performance and Accountability Report     183\n\x0c                                                                                        Independent Auditors\xe2\x80\x99 Report\n\n                                                                                                 Compliance Matters\n                                                                                                           Exhibit II\n\n\n\n\n1. Anti-deficiency Act\n\n      During FY 2007, DOL management concluded that two Anti-deficiency Act violations had occurred. The first\n      violation totaled $130,569,041 and the second violation totaled $29,103. The DOL Secretary has reported the\n      violations to the President of the United States, the President of the Senate, the Speaker of the House of\n      Representatives, and the Comptroller General of the United States, as required by 31 U.S.C. section 1351.\n\n      The first violation occurred in the Employment and Training Administration (ETA) Training and Employment\n      Services (TES) account (160174) for Program Year 2005. This violation involved the obligation of budgetary\n      resources in excess of a fiscal year 2006 apportionment, but did not involve obligations in excess of an\n      appropriation. The second violation occurred in the Employment Standards Administration (ESA) Salaries and\n      Expense account (160150) for fiscal years 2005, 2006, and 2007. The violation represents the compensation paid\n      from March 20, 2005 through November 3, 2006 to an ESA employee who was a citizen of Mexico. This action\n      violated a general provision in the fiscal year 2005 and fiscal year 2006 appropriations.\n\n      No recommendation is considered necessary since management has completed required reporting related to these\n      violations.\n\n\n\n\n184     United States Department of Labor\n\x0c'